Advantech WebAccess < 7.0-2009.06.29 Multiple Vulnerabilities

Severity: Critical | Nessus Network Monitor Plugin ID 9952

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is prior to 7.0-2009.06.29 and is affected by the following vulnerabilities:

- SQL injection vulnerabilities exist due to unspecified input not being properly sanitized before processing SQL queries. An unauthenticated, remote attacker can exploit these to inject SQL queries against the database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2011-4521, CVE-2012-0234, CVE-2012-0244)
- Unspecified cross-site scripting vulnerabilities exist due to improper validation of input data submitted to scripts 'bwerrdn.asp' and 'bwview.asp'. A remote attacker, using a specially crafted URL, can exploit these to execute arbitrary script code in the browser in the context of the user's session. (CVE-2011-4522, CVE-2011-4523)
- A buffer overflow condition exists due to a failure to properly sanitize user-supplied input. A remote, unauthenticated attacker, by using a very long string passed to unspecified parameters, can exploit this to execute arbitrary code. (CVE-2011-4524)
- A flaw exists that allows extracting arbitrary web page content into a batch file, which can then be executed. An unauthenticated, remote attacker can exploit this to write files to the server, allowing the execution of arbitrary code. (CVE-2011-4525)
- A buffer overflow condition exists due to a failure to properly sanitize user-supplied input to unspecified ActiveX parameters. An unauthenticated, remote attacker can exploit this, using a crafted long string, to execute arbitrary code. (CVE-2011-4526)
- A cross-site scripting vulnerability exists due to improper validation of unspecified input before returning it to the user. A remote attacker, using a specially crafted URL, can exploit this to execute arbitrary script code in the browser in the context of the user's session. (CVE-2012-0233)
- An unspecified cross-site request forgery (XSRF) vulnerability exists due to WebAccess not requiring explicit confirmation from the user for sensitive transactions. An attacker, by using a specially crafted GET request embedded in an 'img' tag, can exploit this vulnerability to execute commands in the context of the session between an authenticated user and the application. (CVE-2012-0235)
- An unspecified information disclosure vulnerability exists that allows an unauthenticated, remote attacker to obtain sensitive information by using a direct request to a URL. (CVE-2012-0236)
- A flaw exists that allows an unauthenticated, remote attacker to enable or disable the date and time syncing operations by using a crafted URL. (CVE-2012-0237)
- A stack-based buffer overflow condition exists in 'opcImg.asp' due to a failure to properly sanitize user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2012-0238)
- A flaw exists in the 'uaddUpAdmin.asp' script due to an authentication failure, which allows a remote attacker to modify an administrative password using a change password request. (CVE-2012-0239)
- A flaw exists in the authentication function in the 'GbScriptAddUp.asp' script, which allows a remote attacker to execute arbitrary code. (CVE-2012-0240)
- A memory corruption issue exists in the 'WriteTextData()' and 'CloseFile()' functions due to a failure to properly sanitize user-supplied input. A remote attacker, by using a crafted value in the 'fpt' parameter, can exploit this to cause a denial of service or execute arbitrary code. (CVE-2012-0241)
- A flaw in the 'bwocxrun.ocx' ActiveX control exists due to a failure by the 'OcxSpool()' method to properly sanitize user-supplied string format specifiers. A remote, unauthenticated attacker, by using crafted specifiers, can exploit this to execute arbitrary code. (CVE-2012-0242)
- A buffer overflow condition exists in the 'bwocxrun.ocx' ActiveX control due to a failure to properly sanitize user-supplied input. A remote attacker can exploit this to write arbitrary files to any pathname, allowing the execution of arbitrary code. (CVE-2012-0243)
- An unspecified SQL injection vulnerability exists due to input not being properly sanitized before processing SQL queries, which resulted from an incomplete fix for issue CVE-2012-0234. An unauthenticated, remote attacker can exploit this vulnerability to inject SQL queries against the database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2012-1234)

Solution

Upgrade to Advantech WebAccess version 7.0-2009.06.29 or later.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01

http://www.securityweek.com/advantech-failed-patch-serious-flaws-scada-product

Plugin Details

Severity: Critical

ID: 9952

Family: SCADA

Published: 2/14/2017

Updated: 3/6/2019

Nessus ID: 85691

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 2/16/2012

Vulnerability Publication Date: 2/16/2012

Reference Information

CVE: CVE-2011-4521, CVE-2011-4522, CVE-2011-4523, CVE-2011-4524, CVE-2011-4525, CVE-2011-4526, CVE-2012-0233, CVE-2012-0234, CVE-2012-0235, CVE-2012-0236, CVE-2012-0237, CVE-2012-0238, CVE-2012-0239, CVE-2012-0240, CVE-2012-0241, CVE-2012-0242, CVE-2012-0243, CVE-2012-0244, CVE-2012-1234

BID: 52051